Skip to content

Coercion and Windows Recall

Noted by on his . Last updated . Changelog


The best ways to improve opsec against coercion are to:

  • Limit what can be taken (reduce what’s stored on a device).
  • Fake what you do have: use duress passwords or secondary devices.
  • Last resort: use a hardware key that’s deliberately easy to lose or break, so there’s potentially no key to give up in a rubber-hose attack.

There’s overlap between the three. A duress password temporarily limits what’s stored on a device, and losing a decryption key is more or less the same as instantly wiping encrypted data to reduce what you have to offer. All come down to having less data to give when coerced into giving what you have. Operating systems should also obey this principle by storing as little offline data as possible, and providing duress safeguards for what must be stored.

Windows Recall captures an amount of offline telemetry comparable to parental-control apps often used to control human trafficking victims: the data encompass everything potential victims do on their machines, without any duress protections. Presenting such a feature as opt-out seems like it’s almost designed to hurt victims.

The decision-makers behind features like Recall, or invasive child-monitoring spyware, have likely never experienced this type of abuse. Or perhaps they are the abusive party at home.